Updated On 25 April, 2023
Third Party Security Breach Is Uber’s Third Breach in 6 Months
Breach summary: In March 2023, New Jersey-based Law firm Genova Burns informed a set of Uber drivers that their sensitive data was compromised due to a cyber-attack on the law firm’s servers and systems in January 2023.
Uber, like all profitable enterprise organizations today, has been a hot target for cyber-attacks since it skyrocketed into the marketplace as the first ride-hailing application that essentially replaced the traditional taxi.
It has a breach history that rivals mature enterprise companies that have been around for decades.
In March 2023, a new Uber data breach was disclosed – but this time, it’s a third-party security breach.
This is the third time in six months that Uber has been the victim of a data breach.
Uber’s (Lack of) Third Party Security
Due to its extensive breach history throughout the last decade, Uber has had to hire legal counsel from a variety of third parties in recent years. After their most notorious breach (and attempted cover-up) of 57M user records in 2016, Uber agreed to a $148 million settlement with the FTC in 2018 that also required them to fix lax security.
One of those privacy program requirements would include building a strong third party risk management program (TPRM). However, it appears a law firm that didn’t have sufficient security controls was a) hired, and b) storing Uber’s sensitive data on its insecure servers.
This breach news unfortunately closely follows another third-party security breach Uber experienced in December 2022 via a digital supply chain vendor, an IT SaaS company that uses AWS’ cloud infrastructure. That third-party vendor breach is further explained in the Uber Breach Timeline section below.
Third Party Security Breaches
Genova Burns is a mid-sized law firm based in New Jersey that represents Uber. In March 2023, they sent a letter to affected Uber drivers, informing them that their confidential information, including names, Social Security numbers, and tax identification numbers, had been stolen in a data breach of the firm’s IT systems. According to the letter, the firm first became aware of this breach on January 31, 2023. Originally, Genova Burns had been hired to manage Uber’s response to their 2020 data breach that resulted in the theft of driver information.
While Uber did not reveal how many drivers were affected, it released a statement to The Register, an international news outlet, confirming the breached data included personal information on drivers who have completed trips in New Jersey.
The Massive 2016 Breach and Uber’s Attempted Cover-up
Uber has a long breach history, including the massive data breach in 2016, which led to the theft of 57 million customer and driver records. Uber famously tried to cover up the breach by claiming the ransom it paid to the thieves was a bug bounty award. This was a violation of legal and ethical standards, as Uber failed to promptly notify regulators and users about the breach. Public firings and lawsuits followed.
In 2018, Uber agreed to a $148M settlement with the U.S. Federal Trade Commission (FTC). The settlement included provisions requiring the company to implement a comprehensive privacy program and undergo regular privacy audits. In October 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of obstruction of justice and misprision – concealing a felony from law enforcement – due to his involvement in the attempted cover-up.
Uber Breach Timeline
Uber has had at least seven data breaches since 2014. Here is a timeline of the known incidents and relevant events:
In May 2014, a hacker gained access to the personal information of 100,000 Uber users, including names, email addresses, and phone numbers. The breach was caused by a software engineer who accidentally shared code on GitHub that gave anyone with the code full administrative privileges on a particular Amazon Web Services server.
Uber suffered a data breach in late 2016 that exposed the personal information of 57 million riders and drivers. The 2016 breach was caused by a hacker who gained access to Uber’s internal systems through a phishing attack. In November 2016, the hacker obtained the personal information of those 57 million Uber users and drivers, including names, email addresses, and phone numbers, as well as driver’s license numbers and vehicle license plate numbers. The breach was kept secret for over a year, and Uber paid the hackers $100,000 to delete the stolen data.
In June 2017, drivers and regulators were finally informed of the 2014 breach that exposed the personal information of 50,000 drivers. This came after it was leaked that Uber had failed to notify affected users of the 2014 and 2016 breaches in a timely manner.
Six months later, in November 2017, Uber finally disclosed the 2016 breach to customers and regulators.
Uber admitted that it had accidentally exposed the personal information of approximately 600,000 drivers and customers due to a software bug. The bug allowed unauthorized access to the names and license numbers of drivers, as well as the names, email addresses, and phone numbers of passengers.
In 2018, Uber agreed to pay a $148 million settlement to the FTC to resolve charges that it had violated the FTC Act by failing to protect the personal information of its drivers. The settlement also required Uber to implement several security measures to protect the personal information of its customers and drivers.
The data of 57 million riders and drivers stolen in the 2016 data breach was exposed in an unsecured database, due to a third-party company that was contracted by Uber to provide cloud storage.
The hacker who accessed Uber in September 2022 was a member of the Lapsus$ hacking group. Lapsus$ is a group of cybercriminals who have been responsible for several high-profile data breaches, including breaches of Microsoft, Nvidia, and Samsung. The Lapsus$ hacker, allegedly a teenager, gained access to Uber’s internal systems by purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. The hacker proceeded to use these credentials to log into Uber’s network and steal sensitive data, including source code, financial data, and employee information. The hacker also gained notoriety online by posting screenshots on social media that proved they had internal access to Uber’s driver database, customer database, and financial systems.
A breach report was issued by one of Uber’s third-party providers disclosing that Uber user data was compromised due to unauthorized access to an AWS backup server that housed their code and data files. The third-party vendor was an IT SaaS company that provides “IT asset management and smart vending” tools. The vendor disclosed that the stolen data included device information from Uber’s internal systems, such as serial numbers, make, models, and technical specifications, as well as user information. The disclosure also states that Uber employee data was exposed, including first and last names, work email addresses, and work location details. A third-party breach often involves a compromise of sensitive employee data.
Uber suffers a third-party security breach via its legal counsel, Genova Burns, a New Jersey-based law firm.
7 Lessons Learned from Uber’s Security Breaches
When reflecting on the multiple breaches that Uber has experienced, it’s important to understand the enterprise lessons learned so you can help protect your organization from a similar fate.
Using the vectors that attackers used to gain initial access, here are the seven security lessons learned from the last decade of Uber breaches:
- Use strong passwords and change them regularly.
- Use multi-factor authentication or two-factor authentication.
- Be careful about what information you share online, and with whom.
- Be aware of phishing emails and social engineering scams in person, by phone, and online.
- Keep your software, systems, and network patched and up to date.
- Ensure a reputable anti-virus program is in place.
- Regularly assess your third-party vendors and suppliers for security and compliance.
When it’s time to vet new vendors in the physical or digital supply chain, organizations can hire BreachLock to conduct a third party security vendor assessment to ensure the enterprise is only working with vendors and suppliers that adhere to existing security and compliance requirements.
Improve Enterprise Security with Pen Testing as a Service
In response to a decade of security breaches, Uber has stated they are investing in more measures to improve their cybersecurity controls and processes.
However, as of Fall 2022, the Lapsus$ gang’s teenager described the company’s security as “awful.” And with the recent third-party security breaches, it’s hard to take an enterprise organization like Uber seriously when they say they are committed to improving cybersecurity.
It’s clear Uber as an enterprise organization can do a better job for their customers when it comes to cybersecurity.
Enterprises like Uber, Marriott, T-Mobile, and others that have been in the breach headlines time and again are not the norm. Most enterprises take proactive steps to prevent data and security breaches. As we enter a new era where today’s cybersecurity defenders are dealing with emerging AI risks, zero-day vulnerabilities, and evolving threat actor TTPs, it’s mission critical for enterprise companies to take every risk mitigation possible to protect their employees’ and customers’ data.
With Pen Testing as a Service, enterprise organizations can stop preventable security breaches by continuously testing early and often with BreachLock’s award-winning, analyst-recognized penetration testing platform and human-led, AI-enabled penetration testing services.
See how BreachLock’s Pen Testing as a Service can work for your enterprise security program by scheduling a discovery call today – and how you can stop preventable breaches before they hit the breach headlines.